Saturday, November 2, 2013

Retire.js - Command line Scanner and Chrome plugin

Retire.js identifies JavaScript libraries with known vulnerabilities in your application

Retire.js is a command line scanner that helps you identify dependencies with known vulnerabilities in your application. Using the provided Grunt plugin you can easily include Retire.js in your build process. Retire.js also provides a Chrome extension that detects libraries while you browse your website.

To detect a given version of a given component, Retire.js first uses the
filename or URL. If that fails, it will download/open the file and look
for specific comments within the file. If that also fails, there is the
possibility to use hashes for minified files. And if that fails as well,
the Chrome plugin will run code in a sandbox to try to detect the
component and version. This last detection mechanism is not available in
the command line scanner, as running arbitrary JavaScript files in the
node process could have unwanted consequences. If anybody knows of a
good way to sandbox the code on node, feel free to register an issue or
contribute. It's important to note that even though your site is using a
vulnerable library, that does not necessarily mean your site is
vulnerable. It depends on whether and how your site exercises the
vulnerable code. That said, it's better to be safe than sorry.

More Info and Download: https://github.com/bekk/retire.js